HT4748: OS X Server: Configuring PPTP
Learn about OS X Server: Configuring PPTP
Jun 1, 2015 12:35 PM in response to jlgtx, by jlgtx:
OK... per experimentation, it would appear that L2TP works with Local Users, but PPTP does not. However, the PPTP VPN process should be able to authenticate against the built-in RADIUS server, which does work with Local Users. The question is, how do I make this happen? Google is only vaguely my friend here; I've managed to get the RADIUS service configured:
# dseditgroup -o create -n . -r RADIUS com.apple.access_radius
# radiusconfig -setconfig auth yes
# radiusconfig -setconfig auth_badpass yes
# radiusconfig -setconfig auth_goodpass yes
# radiusconfig -installcerts /etc/certificates/<server_cert_string>.key.pem /etc/certificates/<server_cert_string>.cert.pem /etc/certificates/<server_cert_string>.chain.pem
# radiusconfig -setcertpassword
Enter Certificate Passphrase: Apple:UseCertAdmin
# radiusconfig -start
After adding a user "testuser" to the com.apple.access_radius group, I can then run a successful test using the built-in configuration for localhost:
# time echo "User-Name=testuser,User-password=testpass,Framed-Protocol=PPP " | radclient -x -r 1 -t 10 localhost:1812 auth testing123
Sending Access-Request of id 106 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "testpass"
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=106, length=32
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
real 0m6.658s
user 0m0.018s
sys 0m0.009s
One concerning issue is the fact that it takes almost 7 seconds for the RADIUS server to respond, but at least it does work.
Now I need to configure PPTP to use the RADIUS server. I create a text file "vpnrad" with the following contents:
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "testing123"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "127.0.0.1:1812"
Then I use "serveradmin settings < vpnrad" to pull those settings into the VPN config. That works. But the PPTP service doesn't appear to be hitting the RADIUS service at all. I've tried the "Address" key both with and without the port (1812) tagged onto it, same behavior either way. The RADIUS log shows no hits, and the VPN log shows:
2015-06-01 14:15:40 CDT Incoming call... Address given to client = 10.0.77.95
Mon Jun 1 14:15:41 2015 : Directory Services Authentication plugin initialized
Mon Jun 1 14:15:41 2015 : Directory Services Authorization plugin initialized
Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun 1 14:15:41 2015 : publish_entry SCDSet() failed: Success!
Mon Jun 1 14:15:41 2015 : PPTP incoming call in progress from '50.24.10.202'...
Mon Jun 1 14:15:41 2015 : PPTP connection established.
Mon Jun 1 14:15:41 2015 : using link 1
Mon Jun 1 14:15:41 2015 : Using interface ppp1
Mon Jun 1 14:15:41 2015 : Connect: ppp1 <--> socket[34:17]
Mon Jun 1 14:15:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:41 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:44 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:47 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:47 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:47 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:47 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:50 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:50 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:50 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:50 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:53 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:53 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:53 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:53 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:56 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:56 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:56 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:56 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:59 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:15:59 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:15:59 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:15:59 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:02 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:16:02 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:02 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:16:02 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:05 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:16:05 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:05 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:16:05 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:08 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5d1957d5> <pcomp> <accomp>]
Mon Jun 1 14:16:08 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:08 2015 : lcp_reqci: returning CONFACK.
Mon Jun 1 14:16:08 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x20195db4> <pcomp> <accomp>]
Mon Jun 1 14:16:11 2015 : LCP: timeout sending Config-Requests
Mon Jun 1 14:16:11 2015 : Connection terminated.
Mon Jun 1 14:16:11 2015 : PPTP disconnecting...
Mon Jun 1 14:16:11 2015 : PPTP disconnected
2015-06-01 14:16:11 CDT --> Client with address = 10.0.77.95 has hungup
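An added example, not part of jlgtx's post, of what the radclient test above actually exchanges: the Access-Request as the client builds it (RFC 2865, with the User-Password hidden under the MD5 keystream keyed by the shared secret and the Request Authenticator) and the Access-Accept as the server signs it and the client checks it. Both ends run in-process; the user table, the secret "testing123" and the reply are constructed here and come from no real RADIUS server.

```python
"""Client and server halves of a RADIUS PAP exchange, per RFC 2865.
Constructed example; nothing here talks to a live server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_PROTOCOL, FRAMED_COMPRESSION = 1, 2, 7, 13
PPP, VAN_JACOBSON_TCP_IP = 1, 1           # Framed-Protocol / Framed-Compression values
HEADER = struct.Struct("!BBH")            # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body: bytes) -> list:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first block keyed by the Request Authenticator. Obfuscation, not authenticated
    encryption: anyone holding the shared secret recovers the password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password; trailing NULs are taken to be padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, request_auth=None) -> bytes:
    request_auth = request_auth or os.urandom(16)     # fresh per request, never reused
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code, ident, request_auth, attrs, secret) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: check framing, recover the password, accept or reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:]))
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if name in users and hmac.compare_digest(users[name].encode(), password):
        accept = (encode_attr(FRAMED_PROTOCOL, struct.pack("!I", PPP))
                  + encode_attr(FRAMED_COMPRESSION, struct.pack("!I", VAN_JACOBSON_TCP_IP)))
        return build_reply(ACCESS_ACCEPT, ident, request_auth, accept, secret)
    return build_reply(ACCESS_REJECT, ident, request_auth, b"", secret)


def verify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose Identifier or Response Authenticator does not match the
    outstanding request (spoofed, replayed, or wrong secret) is discarded."""
    if len(reply) < 20:
        return False
    code, rid, length = HEADER.unpack(reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def run_exchange(secret=b"testing123", username="testuser", password="testpass", ident=106):
    """Client -> server -> client, mirroring the radclient test; returns what each side saw."""
    users = {"testuser": "testpass"}                   # constructed stand-in for the RADIUS group
    request_auth = os.urandom(16)
    request = build_access_request(ident, secret, username, password, request_auth)
    reply = server_handle(request, secret, users)
    return {"request_len": len(request), "reply_code": reply[0], "reply_len": len(reply),
            "reply_attrs": parse_attrs(reply[20:]),
            "verified": verify_reply(reply, ident, request_auth, secret),
            "verified_wrong_secret": verify_reply(reply, ident, request_auth, b"wrong")}
```

With Framed-Protocol and Framed-Compression each taking 6 bytes on the wire, the constructed Access-Accept is 32 bytes, the same length radclient reported above; the 16-byte Response Authenticator is the only thing binding that reply to the request and the secret, which is why the secret in the vpnrad file has to match the one the RADIUS service was tested with.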
-
Jun 2, 2015 11:55 AM in response to jlgtx, by jlgtx:
This is the VPN log output when a Local User tries to connect via PPTP:
2015-06-02 13:49:40 CDT Incoming call... Address given to client = 10.0.77.101
Tue Jun 2 13:49:40 2015 : Directory Services Authentication plugin initialized
Tue Jun 2 13:49:40 2015 : Directory Services Authorization plugin initialized
Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
Tue Jun 2 13:49:40 2015 : publish_entry SCDSet() failed: Success!
Tue Jun 2 13:49:40 2015 : PPTP incoming call in progress from '70.196.78.203'...
Tue Jun 2 13:49:41 2015 : PPTP connection established.
Tue Jun 2 13:49:41 2015 : using link 0
Tue Jun 2 13:49:41 2015 : Using interface ppp0
Tue Jun 2 13:49:41 2015 : Connect: ppp0 <--> socket[34:17]
Tue Jun 2 13:49:41 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
Tue Jun 2 13:49:41 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
Tue Jun 2 13:49:41 2015 : lcp_reqci: returning CONFACK.
Tue Jun 2 13:49:41 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : lcp_reqci: returning CONFACK.
Tue Jun 2 13:49:44 2015 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x17d149d0> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x733b2b1a> <pcomp> <accomp>]
Tue Jun 2 13:49:44 2015 : sent [LCP EchoReq id=0x0 magic=0x733b2b1a]
Tue Jun 2 13:49:44 2015 : sent [CHAP Challenge id=0x10 <681a6b63727e7b1d0242010c1f172511>, name = "server_fqdn.com"]
Tue Jun 2 13:49:44 2015 : rcvd [LCP EchoReq id=0x0 magic=0x17d149d0]
Tue Jun 2 13:49:44 2015 : sent [LCP EchoRep id=0x0 magic=0x733b2b1a]
Tue Jun 2 13:49:44 2015 : rcvd [LCP EchoRep id=0x0 magic=0x17d149d0]
Tue Jun 2 13:49:44 2015 : rcvd [CHAP Response id=0x10 <8fb162434e91ead66ff3bd6344cf461e000000000000000009f982e07a158a7c31d62a7c2571fce4113c5967ab32305300>, name = "testuser"]
Tue Jun 2 13:49:52 2015 : DSAuth plugin: unsupported authen authority: recved Kerberosv5;;testuser@LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46;LKDC:SHA1.48C48F920285753FE8EC5A1DE8113FF79618CC46, want ApplePasswordServer
Tue Jun 2 13:49:52 2015 : DSAuth plugin: MPPE key required, but its retrieval failed.
Tue Jun 2 13:49:52 2015 : sent [CHAP Failure id=0x10 "S=A6417FB4D646E7ACFA53B70F24AACCCDB754BD4C M=Access granted"]
Tue Jun 2 13:49:52 2015 : CHAP peer authentication failed for textures
Tue Jun 2 13:49:52 2015 : sent [LCP TermReq id=0x2 "Authentication failed"]
Tue Jun 2 13:49:52 2015 : Connection terminated.
Tue Jun 2 13:49:52 2015 : PPTP disconnecting...
Tue Jun 2 13:49:52 2015 : PPTP disconnected
2015-06-02 13:49:52 CDT --> Client with address = 10.0.77.101 has hungup
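An added example, not part of jlgtx's post, for the "MPPE key required, but its retrieval failed" line above. It parses the CHAP Response line from that log into its MS-CHAPv2 fields (16-byte peer challenge, 8 reserved bytes, 24-byte NT-Response, flags) and then runs the RFC 3079 derivation pppd needs: the MPPE master key is SHA-1 over MD4(MD4(password)) and the NT-Response, so whatever authentication authority backs the user must be able to supply the NT password hash or compute these keys itself. Assumptions: the password "testpass" is invented for the demo; the log line is embedded with the stray space inside the hex removed; the NT-Response is not verified here, since that step needs DES. The MD4 routine is included because OpenSSL 3 builds of hashlib often expose MD4 only via the legacy provider.

```python
"""MS-CHAPv2 response fields from a pppd log line, and MPPE key derivation (RFC 2759 / RFC 3079).
Constructed example; the password below is an assumption."""
import hashlib
import re
import struct

# Line from the VPN log above, with the extraction space inside the hex removed.
SAMPLE_LOG_LINE = ('Tue Jun 2 13:49:44 2015 : rcvd [CHAP Response id=0x10 '
                   '<8fb162434e91ead66ff3bd6344cf461e000000000000000009f982e07a158a7c'
                   '31d62a7c2571fce4113c5967ab32305300>, name = "testuser"]')
CHAP_RESPONSE_RE = re.compile(
    r'rcvd \[CHAP Response id=0x([0-9a-fA-F]+) <([0-9a-fA-F\s]+)>, name = "([^"]*)"\]')

# RFC 3079 constants
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHS_PAD1, SHS_PAD2 = b"\x00" * 40, b"\xf2" * 40


def md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4, not MD5."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = (message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
              + struct.pack("<Q", len(message) * 8))
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        r = state[:]
        for f, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4                      # register updated this step: a, d, c, b, ...
                u, v, w = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = rot((r[t] + f(u, v, w) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + v) & mask for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password. A backend that cannot produce this
    (or keys derived from it) cannot finish MS-CHAPv2 for the peer."""
    return md4(password.encode("utf-16-le"))


def parse_mschapv2_response(log_line: str) -> dict:
    """Split the 49-byte MS-CHAPv2 Response value carried in the CHAP Response."""
    m = CHAP_RESPONSE_RE.search(log_line)
    if not m:
        raise ValueError("no CHAP Response in line")
    value = bytes.fromhex("".join(m.group(2).split()))
    if len(value) != 49:
        raise ValueError(f"MS-CHAPv2 response must be 49 bytes, got {len(value)}")
    if value[16:24] != bytes(8):
        raise ValueError("reserved field must be zero")
    return {"id": int(m.group(1), 16), "name": m.group(3),
            "peer_challenge": value[:16], "nt_response": value[24:48], "flags": value[48]}


def mppe_keys(password: str, nt_response: bytes, is_server: bool, key_len: int = 16) -> dict:
    """RFC 3079: MasterKey = SHA1(MD4(NThash) + NT-Response + Magic1)[:16], then one
    asymmetric start key per direction; the server's send key is the client's receive key."""
    if len(nt_response) != 24:
        raise ValueError("NT-Response must be 24 bytes")
    hash_hash = md4(nt_password_hash(password))
    master = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()[:16]

    def start_key(is_send: bool) -> bytes:
        magic = (MAGIC3 if is_server else MAGIC2) if is_send else (MAGIC2 if is_server else MAGIC3)
        return hashlib.sha1(master + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]

    return {"master": master, "send": start_key(True), "recv": start_key(False)}


if __name__ == "__main__":
    fields = parse_mschapv2_response(SAMPLE_LOG_LINE)
    keys = mppe_keys("testpass", fields["nt_response"], is_server=True)   # password assumed
    print(fields["name"], fields["nt_response"].hex(), keys["send"].hex(), keys["recv"].hex())
```

The parser tolerates whitespace inside the hex because log extraction tends to insert it, as happened in the line quoted above.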